Joshua B. Hill - Introduction to Cybercrime: Computer Crimes, Laws, and Policing in the 21st Century

Recent Titles in
Praeger Security International Textbooks

Essentials of Strategic Intelligence

Loch K. Johnson, editor

Essentials of Counterterrorism

James J. F. Forest, editor

Copyright 2016 by Joshua B. Hill and Nancy E. Marion

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, except for the inclusion of brief quotations in a review, without prior permission in writing from the publisher.

Library of Congress Cataloging-in-Publication Data

Names: Hill, Joshua. | Marion, Nancy E.

Title: Introduction to cybercrime : computer crimes, laws, and policing in the 21st century / Joshua B. Hill, Nancy E. Marion.

Description: Santa Barbara, CA : Praeger, 2016. | Series: Praeger security international textbook | Includes bibliographical references.

Identifiers: LCCN 2015036592| ISBN 9781440832734 (hardback) | ISBN 9781440835339 (paperback) | ISBN 9781440832741 (ebook)

Subjects: LCSH: Computer crimes. | Computer crimesPrevention. | InternetSecurity measures. | BISAC: COMPUTERS / Internet / Security. | LAW / Communications.

Classification: LCC HV6773 .H554 2016 | DDC 364.16/8--dc23 LC record available at http://lccn.loc.gov/2015036592

ISBN: 978-1-4408-3273-4

Paperback ISBN: 978-1-4408-3533-9

EISBN: 978-1-4408-3274-1

201918171612345

This book is also available on the World Wide Web as an eBook.

Visit www.abc-clio.com for details.

Praeger

An Imprint of ABC-CLIO, LLC

ABC-CLIO, LLC

130 Cremona Drive, P.O. Box 1911

Santa Barbara, California 93116-1911

This book is printed on acid-free paper

Manufactured in the United States of America

To Madeline Noca Francis-Hill!

Contents

CHAPTER ONE

Introduction

Introduction: Target Breach

IN DECEMBER 2013, AT THE PEAK OF THE holiday shopping season, U.S. retailer Target announced that the company had suffered a major security breach and that, as a result, about 40 million customers had their payment card details stolen (including their card numbers, expiration dates, CVV security codes, and PINs), and another 70 million customers were at risk of losing personal records such as email addresses. Those responsible for the theft could, in turn, sell the stolen information on the black market where it could be used to cause further damage to the original victims. Target officials attempted to diminish the impact of the damage by reporting that the stolen PIN data was encrypted at the terminal as the customer entered their information, and that the encryption key was not stored on Targets systems but instead by the payment processor. Since the key was not stolen in the breach, the possible danger to victims was limited, according to Target.

It was later discovered that the information was stolen using Kaptoxa malware (a derivative of BlackPOS, a point of sale malware) that had been installed on Targets point-of-sale terminals. BlackPOS was originally created by a 17-year-old hacker from Russia who sold the software to cybercriminals. These criminals then used the software to carry out cyberattacks on merchants. The attackers used credentials that they had stolen from a heating, ventilation, and air conditioning supplier, Fazio Mechanical Services, that had access for business reasons (i.e., electronic billing, contract submission and project management). Once the malware was installed on Targets machines, it went undetected for about 19 days, during which time the criminals continued to collect customers data.

The attack on Target occurred in two stages. In the first, the hackers installed the malware on only a limited number of Targets point-of-sale systems as a way to test the software and see if it worked. After that, the

The effects of the crime were far reaching. For Target itself, the breach led to a 46 percent drop in net profits during a critical holiday shopping season.

Other ramifications were seen in the company. In March 2014, the chief information officer of Target, Beth Jacob, announced her resignation. Company officials replaced her with a new chief information security officer. Target has also made changes to its security and technology divisions and improved its cash registers. MasterCard and other card companies have increased security on credit cards by adding microchips to credit and debit cards that are almost impossible to copy. Moreover, when a user makes a purchase with a card, the chips in the card allows for a code that is used only one time. So the data, if stolen, is useless to anyone else.

But the effects of the Target breach were much wider. Not long after the attacks, two banks (Green Bank from Houston, Texas, and Trustmaker National Bank from New York) announced that they had plans to sue Target as well as Trustwave, a security firm that was supposed to ensure security at Target. Officials from the banks explained that Trustwave failed to protect Targets customer data and that they were forced to spend $172 million to replace customer payment cards that had been compromised during the breach.

A settlement in April 2015 addressed these concerns. Target agreed to set aside up to $19 million for banks and credit unions that had issued the MasterCards involved in the breach and had to reissue the cards. The money would help the banks pay for the operating costs and losses on the cards that were affected. Not all banks were happy with the settlement, however. Smaller banks, which are typically forced to pay more for reissuing fees, wanted to see a higher settlement.

Unfortunately, data shows that an increasing number of computer systems have been infected with the Kaptoxa malware that was used in the Clearly this means that any company could become a victim of a cyberattack at any time, and such an attack would affect thousands of individuals alongside the targeted company.

Breaches like the one Target faced are not unusual in todays world. Cyberattacks appear in many forms and range from relatively harmless (such as changing the content on a website) to perilous (such as data being stolen and used to steal identities or trade secrets). Any organization, public or private, may be victimized by cybercriminals. Government agencies at all levels (federal, state, or local) have been victimized. Large and small companies in the United States and globally have had data stolen. Private individuals have also been victimized by cybercriminals. In essence, anyone who relies on a computer for daily activities can become a victim.

These attacks can cause great harm to business and individuals alike, including financial ruin and other long-term problems. In many of these attacks, victims have lost sensitive and confidential information, such as personal data and company secrets, leading to identity theft and monetary losses. Businesses have suffered not only from financial losses but also from damages related to lost business secrets and strategies. Government sites and politicians accounts have been hacked, and the hackers have released political secrets to the public that resulted in tense relationships on the international front. Once victimized, individuals, businesses, and governments must pay thousands of dollars in response to these attacks as they attempt to recover.